7 package gov.bnl.gums.admin;
8
9 import gov.bnl.gums.*;
10 import org.apache.commons.logging.Log;
11 import org.apache.commons.logging.LogFactory;
12
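/**
 * Implementation of {@link GUMSAPI} used by the administrative front ends.
 *
 * <p>Every operation has the same shape: resolve the caller once, check
 * authorization ({@link #isAdmin} and, for host-scoped calls,
 * {@link #isHostAuthZ}), perform the action through {@link #gums()}, and write
 * an audit record to the resource-admin log (and, for state changes, the site
 * log). Authorization failures and runtime failures are logged and then
 * rethrown, so a caller never observes a silent success.
 *
 * <p>When {@code javax.servlet.Filter} is not on the class path (see
 * {@code isInWeb}) no caller identity is available and every authorization
 * check passes; this is presumably the command-line mode, where access is
 * governed by who can run the tool on the host.
 *
 * @author carcassi
 */
public class GUMSAPIImpl implements GUMSAPI {
    private Log log = LogFactory.getLog(GUMSAPI.class);
    /** Audit trail of resource-admin operations, successful and failed. */
    private Log gumsResourceAdminLog = LogFactory.getLog(GUMS.resourceAdminLog);
    /** Site-admin log: configuration/state changes and unauthorized attempts. */
    private Log siteLog = LogFactory.getLog(GUMS.siteAdminLog);
    private static GUMS gums;

    /**
     * Lazily creates the shared {@link GUMS} instance from the configuration
     * file found under {@link CertCache#getConfPath()}.
     *
     * NOTE(review): the lazy initialisation is not synchronized, so two threads
     * racing on first use could each construct a GUMS; confirm how the container
     * initialises this class before relying on a single instance.
     */
    private GUMS gums() {
        if (gums == null) {
            gums = new GUMS(new FileConfigurationStore(CertCache.getConfPath()));
        }
        return gums;
    }

    /**
     * Fails with {@link AuthorizationDeniedException} unless {@code caller} is
     * a GUMS administrator.
     */
    private void requireAdmin(GridUser caller) {
        if (!isAdmin(caller)) {
            throw new AuthorizationDeniedException();
        }
    }

    /**
     * Fails with {@link AuthorizationDeniedException} unless {@code caller} is
     * an administrator or holds a credential authorized for {@code hostname}.
     * The host check is only consulted when the admin check fails.
     */
    private void requireAdminOrHost(GridUser caller, String hostname) {
        if (!isAdmin(caller) && !isHostAuthZ(caller, hostname)) {
            throw new AuthorizationDeniedException();
        }
    }

    /**
     * Looks up a configured {@link PersistenceFactory} by name.
     *
     * @throws RuntimeException if no factory of that name is configured. The
     *         manual* operations used to dereference the missing factory and
     *         fail with an uninformative NullPointerException; this gives them
     *         the same diagnostic {@link #poolAddAccount} already had.
     */
    private PersistenceFactory persistenceFactory(String name) {
        PersistenceFactory factory = (PersistenceFactory) gums().getConfiguration().getPersistenceFactories().get(name);
        if (factory == null) {
            throw new RuntimeException("PersistenceFactory '" + name + "' does not exist");
        }
        return factory;
    }

    /**
     * Generates the grid3 user-VO map for {@code hostname}.
     *
     * @return the generated map text, which is also written to the audit log
     * @throws AuthorizationDeniedException if the caller is neither an admin
     *         nor authorized for the host
     */
    public String generateGrid3UserVoMap(String hostname) {
        try {
            requireAdminOrHost(currentUser(), hostname);
            String map = gums().getResourceManager().generateGrid3UserVoMap(hostname);
            gumsResourceAdminLog.info(logUserAccess() + "Generated grid3 vo-user map for host '" + hostname + "': " + map);
            return map;
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to generate grid3 vo-user map for host '" + hostname + "' - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to generate grid3 vo-user map for host '" + hostname + "'");
            throw e;
        } catch (RuntimeException e) {
            // Pass the throwable so the stack trace is retained, not just the message.
            gumsResourceAdminLog.error(logUserAccess() + "Failed to generate grid3 vo-user map for host '" + hostname + "' - " + e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Generates the grid-mapfile for {@code hostname}.
     *
     * @return the generated mapfile text, which is also written to the audit log
     * @throws AuthorizationDeniedException if the caller is neither an admin
     *         nor authorized for the host
     */
    public String generateGridMapfile(String hostname) {
        try {
            requireAdminOrHost(currentUser(), hostname);
            String map = gums().getResourceManager().generateGridMapfile(hostname);
            gumsResourceAdminLog.info(logUserAccess() + "Generated mapfile for host '" + hostname + "': " + map);
            return map;
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to generate mapfile for host '" + hostname + "' - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to generate mapfile for host '" + hostname + "'");
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to generate mapfile for host '" + hostname + "' - " + e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Adds {@code userDN} to the manual user group {@code group} stored in the
     * named persistence factory.
     *
     * @throws AuthorizationDeniedException if the caller is not an admin. This
     *         is now rethrown like in every other operation; previously the
     *         denial was only logged and the call returned as if it succeeded.
     * @throws RuntimeException if the persistence factory does not exist or
     *         the group update fails
     */
    public void manualGroupAdd(String persistanceFactory, String group, String userDN) {
        String target = "persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'";
        try {
            requireAdmin(currentUser());
            ManualUserGroupDB db = persistenceFactory(persistanceFactory).retrieveManualUserGroupDB(group);
            db.addMember(new GridUser(userDN, null));
            gumsResourceAdminLog.info(logUserAccess() + "Added to " + target);
            siteLog.info(logUserAccess() + "Added to " + target);
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to add to " + target + " - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to add to " + target);
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to add to " + target + " - " + e.getMessage(), e);
            siteLog.info(logUserAccess() + "Failed to add to " + target + " - " + e.getMessage());
            throw e;
        }
    }

    /**
     * Removes {@code userDN} from the manual user group {@code group} stored in
     * the named persistence factory.
     *
     * @throws AuthorizationDeniedException if the caller is not an admin
     * @throws RuntimeException if the persistence factory does not exist or
     *         the group update fails
     */
    public void manualGroupRemove(String persistanceFactory, String group, String userDN) {
        String target = "persistence '" + persistanceFactory + "' group '" + group + "' user '" + userDN + "'";
        try {
            requireAdmin(currentUser());
            ManualUserGroupDB db = persistenceFactory(persistanceFactory).retrieveManualUserGroupDB(group);
            db.removeMember(new GridUser(userDN, null));
            gumsResourceAdminLog.info(logUserAccess() + "Removed from " + target);
            siteLog.info(logUserAccess() + "Removed from " + target);
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to remove from " + target + " - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to remove from " + target);
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to remove from " + target + " - " + e.getMessage(), e);
            siteLog.info(logUserAccess() + "Failed to remove from " + target + " - " + e.getMessage());
            throw e;
        }
    }

    /**
     * Creates a manual mapping from {@code userDN} to {@code account} in the
     * account mapper {@code group} of the named persistence factory.
     *
     * @throws AuthorizationDeniedException if the caller is not an admin
     * @throws RuntimeException if the persistence factory does not exist or
     *         the mapping update fails
     */
    public void manualMappingAdd(String persistanceFactory, String group, String userDN, String account) {
        String target = "persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "' to account '" + account + "'";
        try {
            requireAdmin(currentUser());
            ManualAccountMapperDB db = persistenceFactory(persistanceFactory).retrieveManualAccountMapperDB(group);
            db.createMapping(userDN, account);
            gumsResourceAdminLog.info(logUserAccess() + "Added mapping to " + target);
            siteLog.info(logUserAccess() + "Added mapping to " + target);
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to add mapping to " + target + " - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to add mapping to " + target);
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to add mapping to " + target + " - " + e.getMessage(), e);
            siteLog.info(logUserAccess() + "Failed to add mapping to " + target + " - " + e.getMessage());
            throw e;
        }
    }

    /**
     * Removes the manual mapping for {@code userDN} from the account mapper
     * {@code group} of the named persistence factory.
     *
     * @throws AuthorizationDeniedException if the caller is not an admin
     * @throws RuntimeException if the persistence factory does not exist or
     *         the mapping update fails
     */
    public void manualMappingRemove(String persistanceFactory, String group, String userDN) {
        String target = "persistence '" + persistanceFactory + "' group '" + group + "' for user '" + userDN + "'";
        try {
            requireAdmin(currentUser());
            ManualAccountMapperDB db = persistenceFactory(persistanceFactory).retrieveManualAccountMapperDB(group);
            db.removeMapping(userDN);
            gumsResourceAdminLog.info(logUserAccess() + "Removed mapping from " + target);
            siteLog.info(logUserAccess() + "Removed mapping from " + target);
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to remove mapping from " + target + " - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to remove mapping from " + target);
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to remove mapping from " + target + " - " + e.getMessage(), e);
            siteLog.info(logUserAccess() + "Failed to remove mapping from " + target + " - " + e.getMessage());
            throw e;
        }
    }

    /**
     * Maps the grid identity ({@code userDN}, {@code fqan}) to a local account
     * on {@code hostname}.
     *
     * @return the account name chosen by the resource manager
     * @throws AuthorizationDeniedException if the caller is neither an admin
     *         nor authorized for the host
     */
    public String mapUser(String hostname, String userDN, String fqan) {
        try {
            requireAdminOrHost(currentUser(), hostname);
            String username = gums().getResourceManager().map(hostname, new GridUser(userDN, fqan));
            gumsResourceAdminLog.info(logUserAccess() + "Mapped on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "' to '" + username + "'");
            return username;
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to map on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "' - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to map on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "'");
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to map on host '" + hostname + "' the user '" + userDN + "' / '" + fqan + "' - " + e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Retired operation kept for interface compatibility: the mapfile cache was
     * removed in GUMS 1.1.0. Non-admins are denied first; admins receive an
     * explanatory RuntimeException.
     *
     * @throws AuthorizationDeniedException if the caller is not an admin
     * @throws RuntimeException always, for an authorized caller
     */
    public void mapfileCacheRefresh() {
        try {
            requireAdmin(currentUser());
            throw new RuntimeException("As of GUMS 1.1.0, the mapfile cache is no longer supported. Please use the web service door.");
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to refresh the mapfile cache - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to refresh the mapfile cache");
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to refresh the mapfile cache - " + e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Refreshes every user group through the resource manager.
     *
     * @throws AuthorizationDeniedException if the caller is not an admin
     */
    public void updateGroups() {
        try {
            requireAdmin(currentUser());
            gums().getResourceManager().updateGroups();
            gumsResourceAdminLog.info(logUserAccess() + "Groups updated");
            siteLog.info(logUserAccess() + "Groups updated");
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to update all groups - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to update all groups");
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to update all groups - " + e.getMessage(), e);
            siteLog.info(logUserAccess() + "Failed to update all groups - " + e.getMessage());
            throw e;
        }
    }

    /**
     * Adds {@code username} to the account pool {@code group} of the named
     * persistence factory.
     *
     * @throws AuthorizationDeniedException if the caller is not an admin
     * @throws RuntimeException if the persistence factory does not exist or
     *         the pool update fails
     */
    public void poolAddAccount(String persistanceFactory, String group, String username) {
        String target = "persistence '" + persistanceFactory + "' group '" + group + "' username '" + username + "'";
        try {
            requireAdmin(currentUser());
            AccountPoolMapperDB db = persistenceFactory(persistanceFactory).retrieveAccountPoolMapperDB(group);
            db.addAccount(username);
            gumsResourceAdminLog.info(logUserAccess() + "Added account to pool: " + target);
            siteLog.info(logUserAccess() + "Added account to pool: " + target);
        } catch (AuthorizationDeniedException e) {
            gumsResourceAdminLog.info(logUserAccess() + "Failed to add account to pool: " + target + " - " + e.getMessage());
            siteLog.info(logUserAccess() + "Unauthorized access to add account to pool: " + target);
            throw e;
        } catch (RuntimeException e) {
            gumsResourceAdminLog.error(logUserAccess() + "Failed to add account to pool: " + target + " - " + e.getMessage(), e);
            siteLog.info(logUserAccess() + "Failed to add account to pool: " + target + " - " + e.getMessage());
            throw e;
        }
    }

    /**
     * Prefix for audit-log lines: the caller's identity, or {@code "No AuthN - "}
     * when no authenticated caller is available.
     */
    String logUserAccess() {
        GridUser caller = currentUser();
        if (caller == null) {
            return "No AuthN - ";
        }
        return caller + " - ";
    }

    /**
     * True when a servlet API is present on the class path. Outside a servlet
     * container there is no certificate-derived caller, and both
     * {@link #isAdmin} and {@link #isHostAuthZ} grant access unconditionally.
     */
    private boolean isInWeb = false;
    {
        try {
            Class.forName("javax.servlet.Filter");
            isInWeb = true;
        } catch (ClassNotFoundException e) {
            isInWeb = false;
        }
    }

    /**
     * The authenticated caller, built from the DN that {@link CertCache}
     * captured for the current request.
     *
     * @return the caller, or {@code null} outside a servlet container or when
     *         no DN was captured
     */
    GridUser currentUser() {
        if (!isInWeb) return null;
        String dn = CertCache.getUserDN();
        if (dn == null) {
            return null;
        }
        return new GridUser(dn, null);
    }

    /**
     * Host-scoped authorization: true when {@code user}'s certificate DN
     * contains {@code hostname}.
     *
     * <p>Always true outside a servlet container. False for a null user, a null
     * or empty hostname (an empty hostname would otherwise match every DN,
     * because {@code indexOf("")} is 0), or a user without a certificate DN.
     *
     * NOTE(review): this is a substring test rather than a comparison of the
     * CN component, so a DN that merely contains the hostname text elsewhere is
     * accepted. Confirm the expected DN layout before tightening it.
     */
    boolean isHostAuthZ(GridUser user, String hostname) {
        if (!isInWeb) return true;
        if (user == null) return false;
        if (hostname == null || hostname.length() == 0) return false;
        String dn = user.getCertificateDN();
        if (dn == null) return false;
        return dn.indexOf(hostname) != -1;
    }

    /**
     * Admin authorization: true when {@code user} belongs to the configured
     * admin group. Always true outside a servlet container; false for a null
     * user or when no admin group is configured.
     */
    boolean isAdmin(GridUser user) {
        if (!isInWeb) return true;
        if (user == null) return false;
        if (gums().getConfiguration().getAdminGroup() == null) {
            return false;
        }
        return gums().getConfiguration().getAdminGroup().isInGroup(user);
    }
}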